Cybercrime Research: For the Greater Good, or Marketing?As Governments Underinvest in Law Enforcement, Private Firms Fill Intelligence Gap
U.S. prosecutors this week revealed a newly unsealed 2018 indictment against the alleged hacker "Fxmsp" after his identity was revealed in a cybersecurity firm's report. That sequence of events has highlighted the importance of information sharing as well as law enforcement's reliance on private cybersecurity researchers. And it raised questions about the line between serving the public good and a private firm's bottom line (see: Fxmsp Probe: Feds Say Group-IB Report Forced Its Hand).
See Also: What is next-generation AML?
On Tuesday, a federal judge approved a U.S. attorney's request to unseal an indictment and arrest warrant against Kazakhstan national Andrey Turchin, 37, who's been charged with five felony counts of computer fraud and abuse, wire fraud and access device fraud. The request was made after Turchin was named as being Fxmsp in a report published last month by Group-IB (see: Studying an 'Invisible God' Hacker: Could You Stop 'Fxmsp'?).
"Research by private companies is becoming not only a tool to tackle those behind cyberattacks, but also a key marketing tool in many companies' arsenals."
But prosecutors said another reason for the court documents to be unsealed is that they believe that Turchin already knew of the U.S. charges against him, including allegations that his Fxmsp operation hacked into at least 300 organizations globally, including 34 in the U.S. The Justice Department didn't immediately respond to a request for comment about how Turchin might have known of the charges against him.
On June 23, cybersecurity firm Group-IB, which is based in Moscow but opened a global headquarters last year in Singapore, desecribed Fxmsp's operations in a lengthy report designed to help organizations protect themselves against copycat attackers.
Prosecutors, in their court filing, notably steer clear of denigrating the work of any cybersecurity researchers.
"Given the group's prolific nature, sophistication, and notable victims, 'Fxmsp' and his accomplices, commonly referred to collectively as the 'Fxmsp' group, have been a subject of interest of cybersecurity researchers," prosecutors told the court in their motion to unseal the records, which references the Group-IB report. "In addition to tracking 'Fxmsp's' evolution and his group's exploits and list of victims, this report publicly identified 'Fxmsp' as Andrey Turchin, of Kazakhstan, and provided a detailed explanation of the researchers' attribution determination."
Naming Suspected Criminals
Should Group-IB have published its detailed analysis of the hacker's identity? To be clear, there are no rules against doing so, although attribution can be tricky.
"For security researchers, it's a real conundrum about whether they name people because they, of course, don't know what law enforcement operations are going on," says cybersecurity expert Alan Woodward, a computer science professor at the University of Surrey in England. "It's also a bit dangerous to name people anyway because, as we know, attribution is difficult."
Group-IB tells me that one month before publishing the report, it provided it to two international law enforcement organizations to make sure that there weren't any active investigations that they might be inadvertently impeding, and it wasn't told to hold fire.
The two law enforcement organizations, while not specified to me, were likely Interpol and Europol, both of which have FBI liaisons. Of course, that doesn't mean that the FBI wanted to reveal any information to Group-IB about in-progress operations.
"How do I put it? The information sharing even within the law enforcement community is not always everything it could be," says Woodward, who's previously worked with the U.K. government and the EU's law enforcement intelligence agency, Europol.
"I mean when they get it right it's quite spectacular," he adds, referring in particular to last week's crackdown on EncroChat, the encrypted cellular network to which police gained access. That operation, led by French and Dutch law enforcement agencies, with the assistance of Europol - the EU's law enforcement intelligence agency - and the EU Agency for Criminal Justice Cooperation, known as Eurojust, resulted in 746 arrests in Britain alone, where 10,000 of EncroChat's 60,000 customers were based (see: European Police Hack Encrypted Communication System).
Woodward says numerous big cybersecurity firms, including organizations such as Group-IB, have advisers that communicate with him and participate in working groups run by Interpol and Europol. "But whether Europol knew what was actually happening or not, who knows?" he says, referring to the Fxmsp case, which the U.S. Justice Department this week said remains ongoing and could result in the arrest of accomplices.
"Interpol and Europol are not always told what's going on with national efforts; that's where things might go slightly awry. And it shows really that perhaps more of the coordination role - the sorts of things that Interpol, Europol and Ameripol do, actually - it would be really good if there was a bit more of ... sharing what operations were going on," Woodward says. "But of course, the fear is, the more information you share ... the more likely that it might leak out and the criminals get a head start and can get away."
A competitor of Group-IB - U.S. threat-intelligence firm Intel 471 - criticized Group-IB for publishing its report. Intel 471, together with FireEye's Mandiant, was among the security firms that shared intelligence with the FBI. Intel 471 has accused Group-IB of releasing its report "for publicity and marketing under the guise of supporting the greater good."
Commercial companies outing cybercriminals for publicity and marketing under the guise of supporting the greater good and without proper coordination and deconfliction with LE is rarely constructive and often harms law enforcement efforts [02/05]— Intel 471 (@Intel471Inc) July 8, 2020
Research Versus Marketing
Where is the line between research and marketing?
For starters, it's important to note that cybersecurity research has been a force for good. In an interview at Black Hat Europe in London in December 2019, Jake Williams, who heads cybersecurity consultancy Rendition Infosec and previously served as a network exploitation operator with the U.S. Department of Defense, told me that the move in recent years by private cybersecurity firms to publicly document how advanced attackers were hacking into organizations' networks was a watershed. Threat intelligence firms releasing in-depth research into how alleged Russian hackers hit the U.S. Democratic National Committee and how alleged Chinese hackers hit the Office for Personnel Management has been instrumental in helping cybersecurity professionals learn how to better defend their organizations. Organizations can build on each other's research as well as collaborate (see: Cybersecurity Defenders: Channel Your Adversary's Mindset).
But when weighing how research might also serve a cybersecurity firm's marketing needs, the picture is complicated by years of underinvestment in law enforcement, says Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting and serves as a cybersecurity adviser to Europol.
"What we are experiencing today is the result of successive governments in many countries not investing or resourcing law enforcement agencies to tackle the growing threat of cybercrime," Honan tells me.
"In the past, many governments viewed cybercrime as an IT problem rather than a societal one, and therefore it was something better left to the IT industry to address. As a result, many cybersecurity companies have more staff - and can pay those staff better than if they joined law enforcement - and more resources to investigate cybercrime than many police forces do," Honan says.
Hence, many law enforcement agencies rely heavily on private cybersecurity firms to help them build cases. "However, it is now getting to the stage where research by private companies is becoming not only a tool to tackle those behind cyberattacks, but also a key marketing tool in many companies' arsenals," he says. "This can lead to the race for private companies to get their research published for marketing gain, and is something that could potentially undermine or conflict with law enforcement investigations."
But he adds: "Governments are now taking the threat from cybercriminals more seriously and rightly recognize it to be a societal and economic threat rather than an IT problem." So they've been putting in place better information sharing arrangements. "We need to continue to build on these public/private cooperation models, to lobby governments to properly fund and support law enforcement cybercrime agencies, and to push for better international legal frameworks to support the fight against cybercrime."
In the case of Group-IB's report, no one is questioning its technical bona fides. Per the U.S. indictment, the firm named an individual that the the FBI also thinks is Fxmsp.
"Our research was primarily focused on examining the threat actors' activities and TPPs [techniques, tactics and procedures] with the aim to provide businesses with comprehensive recommendations on how to avoid attacks similar to those conducted by Fxmsp," Group-IB CTO Dmitry Volkov tells me.
In addition, the report was published more than a year after Fxmsp appeared to have gone quiet in May 2019, when the group's attempt to sell access to three anti-virus vendors' networks and their source code was outed by New York-based threat intelligence firm Advanced Intelligence, in its own report. It appears to have driven Fxmsp off of the cybercrime forums it relied on to market its wares (see: Fxmsp Hackers Behind AV Source Code Heist: Still Operating?).
Add this geopolitical wrinkle: Kazakhstan has no extradition treaty with the U.S., which may explain why Turchin hasn't yet appeared in an American courtroom 18 months after being indicted. Perhaps the FBI was hoping he'd vacation in a country that's friendly with the U.S., so the bureau could nab him (see: Hackers' Vacation Plans in Disarray After Prague Arrest).
What more might Group-IB have done? "In this case, they did ask [law enforcement] - not that they need permission - but as it turns out, the guy was already aware, and I don't think it did any real harm or damage to the case," Woodward says.
But the report does appear to have added a wrinkle for the U.S. investigation, plus by extension any other countries that are investigating Fxmsp. So, should Group-IB have held fire? If so, for how long? Where is the line between doing good and marketing? This case obviously prompts those questions, and perhaps no easy answers.